[riot-notifications] [RIOT-OS/RIOT] gnrc_tftp: Fix out-of-bounds memory access when comparing modes (#11737)

nmeum notifications at github.com
Sun Jun 30 23:05:47 CEST 2019


nmeum commented on this pull request.



> @@ -1047,6 +1047,10 @@ int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbu
 
     /* decode the TFTP transfer mode */
     for (uint32_t idx = 0; idx < ARRAY_LEN(_tftp_modes); ++idx) {
+        if (_tftp_modes[idx].len > (inpkt->size - sizeof(*hdr) - fnlen)) {
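Review bot: the right-hand side `inpkt->size - sizeof(*hdr) - fnlen` is unsigned arithmetic (sizeof yields size_t), so when `inpkt->size` is already smaller than `sizeof(*hdr) + fnlen`, as with a filename that ran to the end of the packet without a terminator, it wraps to a huge value and the new check passes for every entry of `_tftp_modes`. Guard that case explicitly before the loop, for example `if (inpkt->size < sizeof(*hdr) + fnlen) { /* malformed */ }`, compute the remaining length once, and compare `_tftp_modes[idx].len` against it. A comment stating whether `.len` counts the mode's terminating NUL would also help, since the loop body must not touch a byte past `len` unless that byte is inside the packet.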

No, I strongly disagree. Just because the RFC requires valid messages to use null-terminators for strings doesn't mean that an attacker can't forge a malicious message without terminating null bytes.

Since the packet buffer itself doesn't seem to be terminated with a null byte, using a string function on it might result in an out-of-bounds read, reading memory of other packets in the pktbuf.

Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/pull/11737#discussion_r298849509
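A bounded way to decode the mode field without ever calling a string function on the packet buffer, as an added example that is not RIOT's code: the `tftp_mode_t` table, `tftp_find_mode`, `tftp_mode_from_packet` and the sample packets are constructed for this illustration, and `fnlen` is assumed to count the filename's terminator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mode table modelled on the _tftp_modes array the hunk indexes; the struct
 * and its name are assumptions for this example, not RIOT's definitions. */
typedef struct {
    const char *name;
    size_t len;                 /* strlen(name), without the terminator */
} tftp_mode_t;

static const tftp_mode_t modes[] = {
    { "netascii", 8 }, { "octet", 5 }, { "mail", 4 },
};
#define NUM_MODES (sizeof(modes) / sizeof(modes[0]))

/* Match the mode field at `buf` using only the `remaining` bytes still inside
 * the packet.  The buffer is never assumed to be NUL-terminated, so no str*
 * function is called on it; the terminator is checked as an ordinary byte. */
int tftp_find_mode(const uint8_t *buf, size_t remaining)
{
    for (size_t i = 0; i < NUM_MODES; i++) {
        size_t need = modes[i].len + 1;         /* name plus its NUL byte */
        if (need > remaining) {
            continue;                           /* would read past the packet */
        }
        if (memcmp(buf, modes[i].name, modes[i].len) == 0 &&
            buf[modes[i].len] == '\0') {
            return (int)i;
        }
    }
    return -1;                                  /* unknown or unterminated mode */
}

/* Locate the mode field after the header and the (already measured) filename.
 * The checks avoid the unsigned wrap that `size - hdr_len - fnlen` would
 * produce when the packet is shorter than header plus filename. */
int tftp_mode_from_packet(const uint8_t *pkt, size_t size, size_t hdr_len, size_t fnlen)
{
    if (size < hdr_len || size - hdr_len < fnlen) {
        return -1;
    }
    return tftp_find_mode(pkt + hdr_len + fnlen, size - hdr_len - fnlen);
}

/* Constructed sample packets: 2-byte opcode, filename "a" with its NUL, then
 * the mode.  The second one is cut off before the mode's terminator. */
const uint8_t sample_ok[]        = { 0, 1, 'a', 0, 'o', 'c', 't', 'e', 't', 0 };
const uint8_t sample_truncated[] = { 0, 1, 'a', 0, 'o', 'c', 't', 'e', 't' };
```

The truncated packet is rejected rather than compared against bytes that belong to whatever follows it in the packet buffer.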